MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 493de296e5ae30daadf0dc5a1bf4fbfea1bd43d3214fff68d22f1bc38927c399. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 493de296e5ae30daadf0dc5a1bf4fbfea1bd43d3214fff68d22f1bc38927c399
SHA3-384 hash: 90f85af0a9f2d322e8529807c3158bc0b5dbaa0ed3a60d4d6fbd285d531867444dd2efb2a1cc33366141dfd91b26d29e
SHA1 hash: 51fd00e20733a4ae0299bff18f6ee7594e4dd494
MD5 hash: 473f71050681fc3f442d9ec340ba3207
humanhash: october-delaware-lake-speaker
File name:493DE296E5AE30DAADF0DC5A1BF4FBFEA1BD43D3214FF.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:182'784 bytes
First seen:2021-11-04 23:25:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5dbcbed365563713c1a9bb2780528a54 (5 x ArkeiStealer, 3 x RedLineStealer, 2 x RaccoonStealer)
ssdeep 3072:pDjOEm6AhkjO7jAr2dK5RrcPI1ZecJg8EuSzsz:pDiEmbkjO7jpQcPI1bJ0uSz+
Threatray 7'055 similar samples on MalwareBazaar
TLSH T17C04BE10F690D3B2C356017EA821CAECD62DB86CEFE166333B5465DF5E782937532261
File icon (PE):PE icon
dhash icon 4839b234e8c38890 (121 x RaccoonStealer, 54 x RedLineStealer, 51 x ArkeiStealer)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://91.219.236.143/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://91.219.236.143/ https://threatfox.abuse.ch/ioc/243036/

Intelligence

File Origin
# of uploads :
1
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
493DE296E5AE30DAADF0DC5A1BF4FBFEA1BD43D3214FF.exe
Verdict:
No threats detected
Analysis date:
2021-11-04 23:29:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/845222f8-6716-44fd-a9f6-9a97da7271f8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/202510/
Detection(s):
Win.Packed.Generic-9897548-0
Create hunting rule

Win.Packed.Filerepmetagen-9897698-0
Create hunting rule

Win.Packed.Fragtor-9897699-0
Create hunting rule

Win.Packed.Fragtor-9898137-0
Create hunting rule

Win.Packed.Generic-9898145-0
Create hunting rule

Win.Packed.Fragtor-9898153-0
Create hunting rule

Win.Packed.Generic-9898156-0
Create hunting rule

Win.Packed.Generic-9898162-0
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/61846c0ec03a81a50240fa93/reports/34306d78-859e-4f30-aedb-62ca2ba152a2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/858f41f5-67ab-46a2-b450-cc472d8bf459
Result
Threat name:
RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/883617
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 516051 Sample: 493DE296E5AE30DAADF0DC5A1BF... Startdate: 05/11/2021 Architecture: WINDOWS Score: 100 32 camasirx.com 2->32 42 Multi AV Scanner detection for domain / URL 2->42 44 Found malware configuration 2->44 46 Antivirus detection for URL or domain 2->46 48 5 other signatures 2->48 8 493DE296E5AE30DAADF0DC5A1BF4FBFEA1BD43D3214FF.exe 2->8         started        11 sgrujrv 2->11         started        signatures3 process4 signatures5 60 Detected unpacking (changes PE section rights) 8->60 62 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 8->62 64 Maps a DLL or memory area into another process 8->64 66 Creates a thread in another existing process (thread injection) 8->66 13 explorer.exe 4 8->13 injected 68 Antivirus detection for dropped file 11->68 70 Multi AV Scanner detection for dropped file 11->70 72 Checks if the current machine is a virtual machine (disk enumeration) 11->72 process6 dnsIp7 36 lecanardstsornin.com 13->36 38 gmpeople.com 187.212.183.165, 80 UninetSAdeCVMX Mexico 13->38 40 9 other IPs or domains 13->40 24 C:\Users\user\AppData\Roaming\sgrujrv, PE32 13->24 dropped 26 C:\Users\user\AppData\Local\Temp\C436.exe, PE32 13->26 dropped 28 C:\Users\user\AppData\Local\Temp\27D3.exe, PE32 13->28 dropped 30 C:\Users\user\...\sgrujrv:Zone.Identifier, ASCII 13->30 dropped 74 System process connects to network (likely due to code injection or exploit) 13->74 76 Benign windows process drops PE files 13->76 78 Deletes itself after installation 13->78 80 Hides that the sample has been downloaded from the Internet (zone.identifier) 13->80 18 C436.exe 5 13->18         started        22 27D3.exe 13->22         started        file8 signatures9 process10 dnsIp11 34 193.150.103.37, 29118, 49833 ASGENERALTELRU Russian Federation 18->34 50 Multi AV Scanner detection for dropped file 18->50 52 Detected unpacking (changes PE section rights) 18->52 54 Detected unpacking (overwrites its own PE header) 18->54 58 4 other signatures 18->58 56 Machine Learning detection for dropped file 22->56 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/493de296e5ae30daadf0dc5a1bf4fbfea1bd43d3214fff68d22f1bc38927c399/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-09-29 08:44:25 UTC
AV detection:
26 of 28 (92.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=je66ffxfvyynvlpq3rnbx5h372q32q6tefh762gsf4n4hcjhyomq._file
Verdict:
malicious
Similar samples:
1e5296130fabed3cedc5762615f59bc3c803698b3c68ffdb1f69dccf31994c60
RaccoonStealer
4cd754af5d3b9faa7e9626f79fccc35464224247a10f4d01ef502a0423e637a7
RaccoonStealer
63a0529f4fe968a72d4e82240c02181f200e387b0c037df314478d3b913a9481
RaccoonStealer
b4b9574d1681e6fa3fda139c0f58773c5f2850b25f345fd9d8b358cb02044189
RaccoonStealer
e18c425d6d09aa75e6f1f7a837c76775a2b10737422febf875d92d43a404a6c2
RaccoonStealer
fd3c9f2f464842f920343e549ec0f047c97a388de21d05725a5e8e3a0c845b68
RaccoonStealer
+ 7'045 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor trojan
Link:
https://tria.ge/reports/211104-3et5gahhf4/
Behaviour
Checks SCSI registry key(s)
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Deletes itself
Drops startup file
Downloads MZ/PE file
Executes dropped EXE
SmokeLoader
Malware Config
C2 Extraction:
http://gmpeople.com/upload/
http://mile48.com/upload/
http://lecanardstsornin.com/upload/
http://m3600.com/upload/
http://camasirx.com/upload/
Unpacked files
SH256 hash:
972c33057d6944870e2fe26b4a5f2497cde0b540150386bdba04c8fc607f4b01
MD5 hash:
d5d68f6d0c6e151d2fb689740f5f3f75
SHA1 hash:
cb5ef9eb004073daba0eb683f1ff69d1dd5f21eb
Link:
https://www.unpac.me/results/9513cbb0-791c-4c06-9f7a-547494646688/
Parent samples :
f33c9c6f077b7fb4d243925fe48b875581bb8af46e452b39bd4a2c3dd68f0ef9
822ee6c4b4bb9a619985e83c04a2dfe1a09152dc0276bd698f6d03be6ec7b83a
cfcab36f73560b2d15b6c266feaaf0195a6e0d18c22aa22b672e7eb2f979923e
7287980c1afb840a7438471126c0c95c36fefa79a013f9620264507e5f98c7a6
f9c9b3fbf4d11f96ff06fc8292d8c67ad6cf5432409754bbfc95c5c80e6b160d
72b6da82c3aa6faeee19e842814f77874cab37b3425ce6c503754b90c43a4610
e4fb39b3f6aa19028ccdd531437e7994a9b6f62b317adfa3edc16ba51e57acb1
582bd655f491fe76a95b9c8900a3051d379dcbb86036f273b2a7bc6cdd928e9b
9265b09595c59007e116c60605c28bd616387cf0dff79c7db8c5880e23cfef8e
abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb6bd2120da1c01fb1a5a
SH256 hash:
493de296e5ae30daadf0dc5a1bf4fbfea1bd43d3214fff68d22f1bc38927c399
MD5 hash:
473f71050681fc3f442d9ec340ba3207
SHA1 hash:
51fd00e20733a4ae0299bff18f6ee7594e4dd494
Link:
https://www.unpac.me/results/9513cbb0-791c-4c06-9f7a-547494646688/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/493de296e5ae/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/493de296e5ae30daadf0dc5a1bf4fbfea1bd43d3214fff68d22f1bc38927c399

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/202510/

Comments